Electronic cash system

ABSTRACT

An electronic cash system processes a payment for an amount due, the payment being carried out using previously deposited funds. An account management device stores information identifying a user and information of an amount of money available to be utilized by the user based on the previously deposited funds. A settlement processing device instructs a payment institution to settle. A control device manages the information identifying the user and an account number in the payment institution of the user, the account number being encrypted with a public key of the settlement processing device, instructs the account management device to change a balance of the stored previously deposited funds of the user based on the information identifying the user, and instructs the settlement processing device to execute a settlement transaction based on the account number in the payment institution.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a division of U.S. application Ser. No. 10/689,803, filed Oct. 21, 2003, which is a division of U.S. application Ser. No. 09/555,850, filed Jun. 5, 2000, and now U.S. Pat. No. 6,766,306, issued Jul. 20, 2004, which is a national stage of International Application No. PCT/JP99/055789, filed Oct. 8, 1999, which claims priority from Japanese Patent Application No. P10-286341, filed Oct. 8, 1998, the disclosures of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to an electronic cash system, and more particularly to an electronic cash system for processing a payment for an amount due with previously deposited funds.

2. Background Art

Current cash management schemes for electronic cash systems may be generally classified into a “balance management scheme”, which manages the balance using tamper-resistant devices on the assumption that the balance cannot be tampered with, and an “electronic bank note scheme”, which assigns a face value and an identification number to electronic cash so that the IDs of the cash issued by a center can be managed and each bank note checked for double spending.

To put an electronic cash system to practical use, it is necessary to realize anonymity for the user's personal information and purchase information, and an open-loop type of distribution which enables money to be transferred among arbitrary user devices, shops, and so on.

Mondex (trade name) is an electronic money system in accordance with the balance management scheme which satisfies the requirements mentioned above and has been widely used. In Mondex, serviced user devices and shops offering articles each hold a Mondex card, and the shops are further required to be equipped with a special apparatus for reading from and writing to a Mondex card, through which electronic cash is input or output.

The security of a Mondex user on the Internet relies on the security ensured by the Mondex card, which enhances security by always providing two cryptographic modules, the card being used by switching to the module that ensures the security. Also, since the Mondex system does not manage trade information at all, anonymity is maintained for personal information and purchase logs.

With the Mondex system, however, the shops are required to manage special apparatus and are burdened with the labor and time therefor. In addition, since the Mondex system does not manage any trade information, an unauthorized use, if any, cannot be detected. Furthermore, the circulation of money cannot be managed.

SUMMARY OF THE INVENTION

The present invention has been made in view of the circumstances mentioned above, and its object is to enable secure utilization of electronic cash, protection of personal information and an individual's purchase information from being unnecessarily captured by the respective apparatus, detection of unauthorized activities, and management of the circulation of money, without the need for managing special apparatus.

According to an aspect of the invention, an electronic cash system processes a payment for an amount due, the payment being carried out using previously deposited funds. An account management device includes storage means for storing information identifying a user and information of an amount of money available to be utilized by the user based on the previously deposited funds. A settlement processing device includes settlement instructing means for instructing a payment institution to settle. A control device includes management means for managing the information identifying the user and for managing an account number in the payment institution of the user, the account number being encrypted with a public key of the settlement processing device, balance change instructing means for instructing the account management device to change a balance of the stored previously deposited funds of the user based on the information identifying the user, and settlement execution instructing means for instructing the settlement instructing means of the settlement processing device to execute a settlement transaction based on the account number in the payment institution.

According to another aspect of the invention, an electronic cash system processes a payment for an amount due, the payment being carried out using previously deposited funds. A virtual bank includes an account management unit operable to store information identifying a user and information of an amount of money available to be utilized by the user based on the previously deposited funds. A clearing house includes a clearing unit operable to instruct a payment institution to settle. A control center includes a user management unit operable to manage the information identifying the user and to manage an account number in the payment institution of the user, the account number being encrypted with a public key of the clearing house, and a communication unit operable to instruct the virtual bank to change a balance of the stored previously deposited funds of the user based on the information identifying the user and to instruct the clearing unit of the clearing house to execute a settlement transaction based on the account number in the payment institution.

The foregoing aspects, features and advantages of the present invention will be further appreciated when considered with reference to the following detailed description and accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating the configuration of an electronic cash system to which the present invention is applied;

FIG. 2 is a flow chart for explaining the processing for initially depositing funds and registering a user ID in a virtual bank 4;

FIG. 3 is a diagram showing an example of data for certifying a user device;

FIG. 4 is a diagram for explaining the processing for mutual authentication;

FIG. 5 is a flow chart for explaining the processing for a user device 1 to deposit funds in the virtual bank 4 for the second and subsequent times;

FIG. 6 is a flow chart for explaining the processing for registering a shop 2 in a center 3 and in the virtual bank 4;

FIG. 7 is a diagram showing an example of data for certifying a shop;

FIG. 8 is a flow chart for explaining the processing for transferring electronic cash from a user device 1-2 to a user device 1-1;

FIG. 9 is a flow chart for explaining the processing for transferring electronic cash from the user device 1-2 to the user device 1-1;

FIG. 10 is a flow chart for explaining the processing for a payment from the user device 1 to the shop 2; and

FIG. 11 is a flow chart for explaining the processing for depositing proceeds into an account of the shop 2.

DETAILED DESCRIPTION

Best Mode for Carrying Out the Invention

Prior to explaining embodiments of the present invention, features of the present invention will be set forth below with a corresponding implementation (one example) added in parentheses after each means, in order to clarify the correspondence between each means of the inventions described in the claims and the following embodiments. The description, however, is not intended to limit each means to that described below.

Specifically, an electronic cash system includes an account management apparatus (for example, a virtual bank 4 in FIG. 1) which includes storage means (for example, an account management unit 45 in FIG. 1) for storing information for identifying a user and the amount of money utilized by the user based on the previously deposited funds; a settlement processing apparatus (for example, a clearing house 5 in FIG. 1) which includes settlement instructing means (for example, a clearing unit 55 in FIG. 1) for instructing a payment institution to settle; and a control apparatus (for example, a center 3 in FIG. 1) which includes management means (for example, a user management unit 35 in FIG. 1) for managing the information for identifying a user and an account number in the payment institution of the user, encrypted with a public key of the settlement processing apparatus, balance change instructing means (for example, a communication unit 37 in FIG. 1) for instructing the account management apparatus to change the balance of the deposited funds of the user, stored in the storage means of the account management apparatus, based on the information for identifying a user managed by the management means, and settlement execution instructing means (for example, the communication unit 37 in FIG. 1) for instructing the settlement instructing means of the settlement processing apparatus to execute a settlement based on the account number in the payment institution managed by the management means.

FIG. 1 is a diagram representing the configuration of an electronic cash system to which the present invention is applied. A user device 1-1 purchases an article or receives a service from a shop 2, and pays the price therefor to the shop 2 through a center 3, a virtual bank 4 and a clearing house 5. A user device 1-2 purchases an article or receives a service from the shop 2, and pays the price therefor to the shop 2 through the center 3, the virtual bank 4 and the clearing house 5. The shop 2 provides articles or services to the user device 1-1 or 1-2, and receives payments from the user device 1-1 or the user device 1-2 through the center 3, the virtual bank 4 and the clearing house 5. The center 3 stores predetermined data on the user device 1-1, the user device 1-2 and the shop 2, and instructs the clearing house 5 to execute settlement transactions for the user device 1-1, the user device 1-2 and the shop 2. The virtual bank 4, which is an institution for issuing electronic money, issues IDs to the units to which electronic money is issued (the user device 1-1 or 1-2 and the shop 2), and manages the balance or the amount of sales corresponding to the IDs. The clearing house 5 executes payment and deposit procedures for each account or each card number of the user device 1-1 or 1-2 and the shop 2 with a bank 8 or a card company 7. A certificate authority 6 responds to requests of the user device 1-1 to the clearing house 5 by issuing a certificate including predetermined data.

A mutual authentication unit 11-1 of the user device 1-1 mutually authenticates with the user device 1-2, the shop 2, the center 3 or the certificate authority 6 through the processing described later. A storage unit 12-1 is composed of elements having tamper immunity for storing the user ID, balance, and uncleared amount of money for electronic money. An encryption unit 13-1 encrypts predetermined data to be transmitted to the user device 1-2, the shop 2 or the center 3, such as the amount of purchase, information on purchased articles, the user ID of electronic money, and so on. A decryption unit 14-1 decrypts encrypted information such as a user ID, amount, balance and so on which may be received from the user device 1-2, the shop 2, the center 3 or the certificate authority 6. A signature unit 15-1 applies a hash function to predetermined data such as the amount of purchase, information on purchased articles, the user ID of electronic money, and so on, transmitted to the user device 1-2, the shop 2, the center 3 or the certificate authority 6, to calculate a hash value, and encrypts the hash value with a predetermined key to create a signature. The signature unit 15-1 also examines data, or a signature added to data, which may be received from the user device 1-2, the shop 2, the center 3 or the certificate authority 6, to determine whether or not the data has been tampered with. A communication unit 16-1 transmits predetermined data to the user device 1-2, the shop 2, the center 3 or the certificate authority 6, and receives data transmitted from the user device 1-2, the shop 2, the center 3 or the certificate authority 6.

A mutual authentication unit 11-2, a storage unit 12-2, an encryption unit 13-2, a decryption unit 14-2, a signature unit 15-2, and a communication unit 16-2 of the user device 1-2 are similar to the mutual authentication unit 11-1, the storage unit 12-1, the encryption unit 13-1, the decryption unit 14-1, the signature unit 15-1, and the communication unit 16-1, respectively, of the user device 1-1, so that explanation thereof is omitted. In the following, the user device 1-1 and the user device 1-2 are simply referred to as the “user device 1” unless they need to be particularly distinguished from each other.

A mutual authentication unit 21 of the shop 2, a mutual authentication unit 31 of the center 3, a mutual authentication unit 41 of the virtual bank 4, and a mutual authentication unit 51 of the clearing house 5 perform processing similar to the mutual authentication unit 11-1 of the user device 1-1, so that explanation thereof is omitted.

An encryption unit 23 of the shop 2, an encryption unit 32 of the center 3, an encryption unit 42 of the virtual bank 4, and an encryption unit 52 of the clearing house 5 perform processing similar to the encryption unit 13-1 of the user device 1-1, so that explanation thereof is omitted.

A decryption unit 24 of the shop 2, a decryption unit 33 of the center 3, a decryption unit 43 of the virtual bank 4, and a decryption unit 53 of the clearing house 5 perform processing similar to the decryption unit 14-1 of the user device 1-1, so that explanation thereof is omitted.

A signature unit 25 of the shop 2, a signature unit 34 of the center 3, a signature unit 44 of the virtual bank 4, and a signature unit 54 of the clearing house 5 perform processing similar to the signature unit 15-1 of the user device 1-1, so that explanation thereof is omitted.

A communication unit 26 of the shop 2, a communication unit 37 of the center 3, a communication unit 46 of the virtual bank 4, and a communication unit 56 of the clearing house 5 perform processing similar to the communication unit 16-1 of the user device 1-1, so that explanation thereof is omitted.

A storage unit 22 of the shop 2 is composed of elements having tamper immunity for storing shop IDs, the amount of sales, and so on.

A user management unit 35 of the center 3 stores and manages a credit card number of a user which is encrypted with the user's public key Kpu corresponding to the user ID and with a public key Kppg of the clearing house 5. A shop management unit 36 of the center 3 stores and manages an account number of the shop 2 which is encrypted with a public key Kpm of the shop 2 corresponding to a shop ID and with the public key Kppg of the clearing house 5.

An account management unit 45 of the virtual bank 4 stores the balance of electronic cash for a user corresponding to a user ID, and the amount of sales for the shop 2 corresponding to the shop ID.

A clearing unit 55 of the clearing house 5 instructs the bank 8 or the card company 7 to execute payment and deposit procedures for each of the accounts of the user device 1-1 or 1-2 and the shop 2.

While FIG. 1 illustrates the user device 1, the shop 2, the center 3, the virtual bank 4, the clearing house 5, the certificate authority 6, the credit company 7 and the bank 8 as if they existed independently of one another, some of their functions may be combined into one. For example, the functions provided by the center 3, the virtual bank 4 and the clearing house 5 may be combined into the center 3.

The processing performed by the user device 1 when it initially deposits funds and registers its user ID in the virtual bank 4 will be explained with reference to the flow chart of FIG. 2. At step S11, the communication unit 16 of the user device 1 transmits personal information, account information and the public key Kpu of the user device 1 to the certificate authority 6. Here, the personal information refers to information with which the user device 1 can be identified, for example an ID or the like. The certificate authority 6 receives the data transmitted by the communication unit 16 of the user device 1. At step S12, the certificate authority 6 applies a predetermined hash function to the received personal information, account information and public key Kpu of the user device 1 to generate a hash value, which is encrypted with a secret key Ksca of the certificate authority 6 to create a signature; the signature is then appended to the personal information, the account information and the public key Kpu of the user device 1 to create a certificate, which is transmitted to the user device 1. FIG. 3 shows an example of the certificate for the user device. The certificate may include the name (ID) of the certificate authority, a certificate number (ID), an expiration date of the certificate, and so on in addition to those enumerated above. The communication unit 16 of the user device 1 receives the data transmitted by the certificate authority 6.

The signature is data attached to data or a certificate for checking it for tampering and authenticating its creator. The signature is created by applying a hash function to the data to be transmitted to generate a hash value, which is then encrypted with a secret key of a public key cryptosystem.

The hash function and the matching of signatures will be explained. The hash function is a function which accepts predetermined data to be transmitted as an input and compresses it to data of a predetermined bit length, which is output as a hash value. The hash function is characterized in that it is difficult to infer the input from a hash value (output), a large number of bits in the hash value change when one bit in the input data changes, and it is difficult to find two inputs having the same hash value.

A recipient who has received a signature and data decrypts the signature with the public key of the public key cryptosystem to obtain the result (a hash value). Further, a hash value is calculated for the received data, and it is determined whether or not the calculated hash value is equal to the hash value obtained by decrypting the signature. If the hash value of the transmitted data is found to be equal to the decrypted hash value, it follows that the received data has not been tampered with and was transmitted from a source which holds the secret key corresponding to the public key. As the hash function for the signature, MD4, MD5, SHA-1 or the like may be employed.

Next, the public key cryptosystem will be explained. In contrast with a common key cryptosystem, which employs the same key (common key) for encryption and decryption, the public key cryptosystem employs a key for encryption different from the key for decryption. With the use of the public key cryptosystem, even if one key is published, the other can be held in secret. The key which may be published is referred to as the “public key,” while the other key, which is held in secret, is referred to as the “secret key.”

RSA (Rivest-Shamir-Adleman) encryption, which is representative of public key cryptosystems, will be explained in brief. First, two sufficiently large prime numbers p and q are chosen, and the product n of p and q is calculated. Then, the least common multiple L of (p−1) and (q−1) is calculated. Further, a number e, which is equal to or more than three and less than L and is relatively prime to L, is found (i.e., the only number which divides both e and L is one).

Next, a multiplicative inverse d of e with respect to multiplication modulo L is found. In other words, ed = 1 mod L holds among d, e and L, so that d can be calculated by the Euclidean algorithm. In this event, n and e are chosen as the public key, while p, q and d are chosen as the secret key.

A cryptogram C is calculated from a clear text M through the processing represented by Equation (1):

C = M^e mod n    (1)

The cryptogram C is decrypted to the clear text M through the processing represented by Equation (2):

M = C^d mod n    (2)

While the proof is omitted, a clear text can be converted to a cryptogram by RSA encryption and decrypted again because this relies on Fermat's little theorem, by which Equation (3) holds:

M = C^d = (M^e)^d = M^(ed) mod n    (3)

If the secret keys p and q are known, the secret key d can be calculated from the public key e. However, if the public key n has so many digits that the prime factorization of n is difficult in terms of the amount of computation, the secret key d cannot be computed from the public key e, and therefore the cryptogram cannot be decrypted even if the public key n is known. As described above, RSA encryption can provide a key used for encryption and a key for decryption which are different from each other.

Also, an elliptic curve cryptosystem, which is another example of a public key cryptosystem, will be explained in brief. A certain point on an elliptic curve y^2 = x^3 + ax + b is taken to be B. An addition of points on the elliptic curve is defined, where nB represents the result of adding B to itself n times. Similarly, a subtraction is also defined. It has been proven difficult to calculate n from B and nB. B and nB are chosen as the public keys, while n is chosen as the secret key. Cryptograms C1 and C2 are calculated from a clear text M using a random number r through Equation (4) and Equation (5), respectively, with the public keys:

C1 = M + rnB    (4)
C2 = rB    (5)

The cryptograms C1 and C2 are decrypted to the clear text M through the processing represented by Equation (6):

M = C1 − nC2    (6)

Only those who have the secret key n can decrypt the cryptograms. As described above, the elliptic curve cryptosystem can also provide a key used for encryption and a key for decryption which are different from each other, as is the case with RSA encryption.
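The elliptic curve scheme of Equations (4) to (6) in working form, as an added example that is not part of the patent text: point addition, the scalar multiple nB, encryption of M with a fresh random r, and decryption by M = C1 − nC2. It assumes the secp256k1 curve parameters (a constructed choice, since the text fixes no curve) and embeds an integer message into the point M by trying successive x-coordinates, a representation detail the text leaves open.

```python
import secrets

# secp256k1 domain parameters, a constructed choice for this demo (the text fixes no curve).
# The curve is y^2 = x^3 + A*x + B_COEFF over GF(P); BASE plays the role of the point B.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B_COEFF = 0, 7
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """None is the point at infinity, which counts as lying on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B_COEFF)) % P == 0

def ec_add(p1, p2):
    """The addition of points the text refers to (chord-and-tangent rule, affine coordinates)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                        # Q + (-Q) is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_neg(pt):
    """The subtraction the text mentions is addition of the negated point."""
    return None if pt is None else (pt[0], -pt[1] % P)

def ec_mul(k, pt):
    """nB: B added to itself n times, computed by double-and-add."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def embed(m):
    """Turn an integer message into the point M: try x = 256*m + k until x^3 + 7 is a square.
    The text does not say how M is represented; this trial embedding is an assumption."""
    for k in range(256):
        x = 256 * m + k
        rhs = (x ** 3 + A * x + B_COEFF) % P
        y = pow(rhs, (P + 1) // 4, P)                      # square root, valid as P = 3 mod 4
        if y * y % P == rhs:
            return x, y
    raise ValueError("message could not be embedded")

def unembed(pt):
    return pt[0] // 256

def keygen():
    """Public key (B, nB), secret key n."""
    n = secrets.randbelow(ORDER - 1) + 1
    return (BASE, ec_mul(n, BASE)), n

def encrypt(m, public_key):
    """Equations (4) and (5): C1 = M + r*nB, C2 = r*B, with a fresh random r per message."""
    b, nb = public_key
    r = secrets.randbelow(ORDER - 1) + 1
    return ec_add(embed(m), ec_mul(r, nb)), ec_mul(r, b)

def decrypt(c1, c2, n):
    """Equation (6): M = C1 - n*C2, which works because n*C2 = n*(r*B) = r*(n*B)."""
    return unembed(ec_add(c1, ec_neg(ec_mul(n, c2))))
```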

At step S13, the mutual authentication unit 11 of the user device 1 mutually authenticates with the mutual authentication unit 31 of the center 3, and they share a concatenation of random numbers R2∥R3, described later, as a temporary key Ktsu between the center 3 and the user device 1. The procedure for the mutual authentication will be described later with reference to the flow chart of FIG. 4. At step S14, the encryption unit 13 of the user device 1 encrypts the user's credit card number, which has been previously stored, with the public key Kppg of the clearing house 5, and the signature unit 15 appends the user's signature to the amount of issued electronic cash which has been set by the user device. In this event, the user's signature involves applying a hash function to the amount of issued electronic cash, and encrypting the resulting hash value with the secret key Ksu of the user device 1. The encryption unit 13 of the user device 1 encrypts the encrypted credit card number and the amount of issued electronic cash appended with the signature with the temporary key Ktsu. The communication unit 16 transmits them to the center 3. The communication unit 37 of the center 3 receives the credit card number and the amount of issued electronic cash transmitted thereto from the user device 1.

At step S15, the decryption unit 33 of the center 3 decrypts the credit card number and the amount of issued electronic cash encrypted with the temporary key Ktsu. The signature unit 34 compares the value derived by the decryption unit 33 decrypting the signature appended to the amount of issued electronic cash with the public key Kpu of the user device, included in the certificate of the user device 1 obtained through the mutual authentication described later, with a hash value derived by applying a hash function to the amount of issued electronic cash decrypted with the temporary key Ktsu, and determines that the amount of issued electronic cash has not been tampered with if they are identical. If it is determined that the amount of issued electronic cash has been tampered with, the processing is aborted. When the amount of issued electronic cash has not been tampered with, the processing proceeds to step S16, where the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 51 of the clearing house 5, and the center 3 and the clearing house 5 share a temporary key Ktsp. The procedure for the mutual authentication will be described later with reference to FIG. 4. At step S17, the signature unit 34 of the center 3 further appends a signature of the center 3 to the amount of issued electronic cash appended with the signature of the user device. The encryption unit 32 encrypts the certificate of the user device 1, the credit card number encrypted with the public key Kppg of the clearing house 5, and the amount of issued electronic cash appended with the signature of the center 3 and the signature of the user device 1, with the temporary key Ktsp. The communication unit 37 transmits the encrypted data to the clearing house 5. The communication unit 56 of the clearing house 5 receives the data transmitted thereto from the center 3.

At step S18, the decryption unit 53 of the clearing house 5 decrypts the data received from the center 3 with the temporary key Ktsp, and the signature unit 54 of the clearing house 5 verifies the signature of the center 3 and the signature of the user device 1 appended to the amount of issued electronic cash, to confirm that the amount of issued electronic cash has not been tampered with. Since the processing for verifying the signatures is similar to that at step S15, explanation thereof is omitted. If the signature unit 54 finds that the amount of issued electronic cash has been tampered with, the processing is aborted. When the amount of issued electronic cash has not been tampered with, the processing proceeds to step S19, where the decryption unit 53 decrypts the credit card number encrypted with the public key Kppg of the clearing house 5 with a secret key Kspg of the clearing house 5 previously stored therein to derive the credit card number. Continuing with step S20, the clearing unit 55 delivers credit and transfer instructions to the credit card company 7 through the communication unit 56.

At step S21, the signature unit 54 appends a signature of the clearing house 5 to the verified result of steps S18 and S19 and the processed result of step S20. The encryption unit 52 encrypts the verified result and processed result appended with the signature with the temporary key Ktsp. The communication unit 56 transmits the encrypted verified result and processed result to the center 3. The communication unit 37 of the center 3 receives the verified result and the processed result transmitted thereto from the clearing house 5, and the decryption unit 33 decrypts the verified result and the processed result received from the clearing house 5. If the verified result thus received indicates a fraud, or the processed result indicates that the processing was not normally completed, the processing is aborted.

If the verified result received at step S21 indicates that there is no fraud, and the processed result indicates that the processing was normally completed, the processing proceeds to step S22, where the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 41 of the virtual bank 4, and the center 3 and the virtual bank 4 share a temporary key Ktsb. The procedure for the mutual authentication will be described later with reference to the flow chart of FIG. 4. At step S23, the encryption unit 32 encrypts the certificate of the user device 1, and the amount of issued electronic money appended with the signature of the center 3 and the signature of the user device 1, with the temporary key Ktsb. The communication unit 37 transmits the encrypted certificate of the user device 1 and the electronically issued amount to the virtual bank 4. The communication unit 46 of the virtual bank 4 receives the certificate of the user device 1 and the electronically issued amount transmitted thereto from the center 3.

At step S24, the decryption unit 43 of the virtual bank 4 decrypts the certificate of the user device 1 and the electronically issued amount received from the center 3 with the temporary key Ktsb, and the signature unit 44 verifies the signature of the center 3 and the signature of the user device 1 appended to the amount of issued electronic cash to confirm that the amount of issued electronic cash has not been tampered with. Since the processing for verifying the signatures is similar to that at step S15, explanation thereof is omitted. If the signature unit 44 finds tampering in the amount of issued electronic cash, the processing is aborted. When the amount of issued electronic cash has not been tampered with, the account management unit 45 of the virtual bank 4 generates a user ID, and stores the amount of issued electronic money corresponding to the user ID at step S25. At step S26, the signature unit 44 appends a signature of the virtual bank 4 to the user ID. The encryption unit 42 encrypts the user ID with the temporary key Ktsb. The communication unit 46 transmits the encrypted user ID to the center 3. The communication unit 37 of the center 3 receives the user ID transmitted by the virtual bank 4.

At step S27, the decryption unit 33 of the center 3 decrypts the user ID transmitted by the virtual bank 4 with the temporary key Ktsb, and the user management unit 35 stores and manages a set of the decrypted user ID, the public key Kpu of the user device received at step S13, and the credit card number encrypted with the public key Kppg of the clearing house 5 received at step S14. At step S28, the signature unit 34 of the center 3 appends a signature of the center 3 to the user ID. The encryption unit 32 encrypts the user ID with the temporary key Ktsu. The communication unit 37 transmits the encrypted user ID to the user device. The communication unit 16 of the user device 1 receives the user ID transmitted by the center 3.

At step S29, the decryption unit 14 of the user device 1 decrypts the received user ID with the temporary key Ktsu, and the storage unit 12 stores the received user ID and the amount of issued electronic cash transmitted at step S14 as the electronic cash balance.

In this way, during the initial deposit of funds, the user device 1 registers the user ID in the virtual bank 4, and stores the amount of issued electronic cash, identical to the amount which has been previously paid, in correspondence to the user ID.

The processing for the mutual authentication performed at step S13 in FIG. 2 between the mutual authentication unit 11 of the user device 1 and the mutual authentication unit 31 of the center 3, using an elliptic curve cryptosystem of 160 bits in length, which is a public key cryptosystem, will be explained with reference to the flow chart of FIG. 4. At step S41, the mutual authentication unit 11 of the user device 1 generates a 64-bit random number R1. At step S42, the mutual authentication unit 11 of the user device 1 transmits the certificate including its own public key Kpu (acquired from the certificate authority 6 at step S12) and the random number R1 to the mutual authentication unit 31 of the center 3.

At step S43, the mutual authentication unit 31 of the center 3 decrypts the signature (encrypted with the secret key Ksca of the certificate authority 6) in the received certificate with the public key Kpca of the certificate authority 6, which has been previously acquired, to extract the public key Kpu of the user device 1 and the hash value of the name of the user device 1, and also extracts the public key Kpu of the user device 1 and the name of the user device 1 which are stored in the certificate in the form of clear text. If the certificate is a genuine one issued by the certificate authority, the signature in the certificate can be decrypted, and the public key Kpu and the hash value of the name of the user device 1 produced by the decryption match the public key Kpu of the user device 1 stored in the certificate in the form of clear text and the hash value derived by applying the hash function to the name of the user device 1. This authenticates that the public key Kpu has not been tampered with and is genuine. If the signature cannot be decrypted, or if the hash values do not match even though it can be decrypted, this means that the public key or the user device is not genuine. In this event, the processing is aborted.

When a proper authentication result is derived, the mutual authentication unit 31 of the center 3 generates a 64-bit random number R2 at step S44. At step S45, the mutual authentication unit 31 of the center 3 generates a coherence (concatenation) of the random number R1 and the random number R2, R1∥R2. At step S46, the mutual authentication unit 31 of the center 3 encrypts the coherence R1∥R2 with a secret key Ksesc of itself. At step S47, the mutual authentication unit 31 of the center 3 encrypts the coherence R1∥R2 with the public key Kpu of the user device 1 acquired at step S43. At step S48, the mutual authentication unit 31 of the center 3 transmits a certificate (which has been previously acquired from the certificate authority) including the public key Kpesc of itself, together with the coherence R1∥R2 encrypted with the secret key Ksesc and the coherence R1∥R2 encrypted with the public key Kpu, to the mutual authentication unit 11 of the user device 1.

At step S49, the mutual authentication unit 11 of the user device 1 decrypts the signature in the received certificate with the public key Kpca of the certificate authority, which has been previously acquired, and extracts the public key Kpesc from the certificate if it is correct. Since the processing in this event is similar to that at step S43, explanation thereon is omitted. At step S50, the mutual authentication unit 11 of the user device 1 decrypts the coherence R1∥R2 encrypted with the secret key Ksesc of the center 3 with the public key Kpesc acquired at step S49. At step S51, the mutual authentication unit 11 of the user device 1 decrypts the coherence R1∥R2 encrypted with the public key Kpu of itself with the secret key Ksu of itself. At step S52, the mutual authentication unit 11 of the user device 1 compares the coherence R1∥R2 decrypted at step S50 with the coherence R1∥R2 decrypted at step S51, and authenticates the center 3 as true if they match, and aborts the processing, regarding the center 3 as false, if they do not match.

When a true authentication result is derived, the mutual authentication unit 11 of the user device 1 generates a 64-bit random number R3 at step S53. At step S54, the mutual authentication unit 11 of the user device 1 generates a coherence R2∥R3 of the random number R2 acquired at step S50 and the random number R3 generated thereby. At step S55, the mutual authentication unit 11 of the user device 1 encrypts the coherence R2∥R3 with the public key Kpesc acquired at step S49. At step S56, the mutual authentication unit 11 of the user device 1 transmits the encrypted coherence R2∥R3 to the mutual authentication unit 31 of the center 3.

At step S57, the mutual authentication unit 31 of the center 3 decrypts the encrypted coherence R2∥R3 with the secret key Ksesc of itself. At step S58, the mutual authentication unit 31 of the center 3 authenticates the user device 1 as a true user device if the decrypted random number R2 matches the random number R2 generated at step S44 (the random number R2 before being encrypted), and aborts the processing, regarding the user device 1 as a false user device, if they do not match.

As described above, the mutual authentication unit 31 of the center 3 and the mutual authentication unit 11 of the user device 1 mutually authenticate. The random numbers utilized for the mutual authentication are utilized as temporary keys which are effective only in the processing subsequent to the mutual authentication.
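A simulation of the FIG. 4 exchange (steps S41 to S58) with both sides' messages and the abort conditions, added here as example code that is not part of the patent. Textbook RSA over small constructed primes stands in for the 160-bit elliptic curve cryptosystem, 16-bit random numbers stand in for the 64-bit ones, and the function and party names, the `tamper` switch and the freshness check on R1 are assumptions of this example.

```python
"""Steps S41-S58 of FIG. 4 simulated end to end.  Textbook RSA over small,
constructed primes replaces the patent's 160-bit elliptic curve cryptosystem
(insecure, for illustration only); random numbers are 16 bits rather than 64
so that R1||R2 fits below the toy modulus.  Example code, not the patent's."""
import hashlib
import secrets

RBITS = 16


def rsa_keypair(p, q, e=65537):
    """Return (public, secret) = ((e, n), (d, n)) for constructed primes p, q."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def pk_apply(key, m):
    """Encrypt with a public key, or 'encrypt with a secret key' (sign)."""
    k, n = key
    assert 0 <= m < n, "message must be below the modulus"
    return pow(m, k, n)


def concat(a, b):
    """The patent's 'coherence' Ra||Rb, packed into one integer."""
    return (a << RBITS) | b


def split(c):
    return c >> RBITS, c & ((1 << RBITS) - 1)


def h(*parts):
    """Hash of the certificate contents (name and public key), as an integer."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")


def issue_certificate(ca_secret, name, pub):
    """Certificate authority: clear-text name and key plus a signature over
    their hash, made by 'encrypting' the hash with the CA secret key Ksca."""
    sig = pk_apply(ca_secret, h(name, pub) % ca_secret[1])
    return {"name": name, "pub": pub, "sig": sig}


def verify_certificate(ca_pub, cert):
    """S43 / S49: undo the signature with Kpca and compare the result with the
    hash of the clear-text fields carried in the certificate."""
    return pk_apply(ca_pub, cert["sig"]) == h(cert["name"], cert["pub"]) % ca_pub[1]


def build_parties():
    """Constructed keys for the CA, the user device 1 and the center 3."""
    ca_pub, ca_sec = rsa_keypair(1000003, 1000033)
    user_pub, user_sec = rsa_keypair(1000037, 1000039)      # Kpu, Ksu
    center_pub, center_sec = rsa_keypair(1000081, 1000099)  # Kpesc, Ksesc
    user = {"sec": user_sec, "cert": issue_certificate(ca_sec, "user device 1", user_pub)}
    center = {"sec": center_sec, "cert": issue_certificate(ca_sec, "center 3", center_pub)}
    return ca_pub, user, center


def mutual_authenticate(ca_pub, user, center, tamper=None):
    """Run the exchange; return the shared temporary key R2||R3, or None when
    either side aborts.  'tamper' injects a fault on the wire (constructed)."""
    # S41-S42  user -> center: certificate of the user device, R1
    r1 = secrets.randbits(RBITS)
    cert_u, r1_rx = user["cert"], r1
    if tamper == "user_cert":                 # key substituted in the certificate
        cert_u = dict(cert_u, pub=rsa_keypair(1000003, 1000037)[0])
    # S43  center checks the certificate and extracts Kpu
    if not verify_certificate(ca_pub, cert_u):
        return None
    kpu = cert_u["pub"]
    # S44-S48  center -> user: its certificate, R1||R2 under Ksesc, R1||R2 under Kpu
    r2 = secrets.randbits(RBITS)
    c12 = concat(r1_rx, r2)
    signed, sealed = pk_apply(center["sec"], c12), pk_apply(kpu, c12)
    if tamper == "msg2":                      # ciphertext altered in transit
        sealed = (sealed + 1) % kpu[1]
    # S49-S52  user checks the certificate, recovers both copies, compares them
    if not verify_certificate(ca_pub, center["cert"]):
        return None
    kpesc = center["cert"]["pub"]
    from_sig, from_seal = pk_apply(kpesc, signed), pk_apply(user["sec"], sealed)
    if from_sig != from_seal:
        return None
    r1_chk, r2_rx = split(from_seal)
    if r1_chk != r1:                          # freshness check (assumption, not in the text)
        return None
    # S53-S56  user -> center: R2||R3 under Kpesc
    r3 = secrets.randbits(RBITS)
    msg3 = pk_apply(kpesc, concat(r2_rx, r3))
    # S57-S58  center decrypts with Ksesc and checks that R2 is its own
    r2_chk, r3_rx = split(pk_apply(center["sec"], msg3))
    if r2_chk != r2:
        return None
    return concat(r2, r3_rx)                  # temporary key Ktsu, known to both sides


if __name__ == "__main__":
    parties = build_parties()
    print("honest run   :", mutual_authenticate(*parties) is not None)
    print("rogue cert   :", mutual_authenticate(*parties, tamper="user_cert"))
    print("altered msg2 :", mutual_authenticate(*parties, tamper="msg2"))
```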

The processing performed by the user device 1 for depositing funds to the virtual bank 4 second and subsequent times will be explained with reference to FIG. 5. At step S71, the mutual authentication unit 11 of the user device 1 mutually authenticates with the mutual authentication unit 31 of the center 3, and shares a temporary key Ktsu which is used between the center 3 and the user device 1. Since the procedure for the mutual authentication is similar to that previously explained with reference to FIG. 4, explanation thereon is omitted. At step S72, the signature unit 15 of the user device 1 appends a signature of the user 1 to the user ID and the amount of issued electronic cash. In this event, the signature may be collectively appended to the user ID and the amount of issued electronic cash. The encryption unit 13 of the user device 1 encrypts the user ID and the amount of issued electronic cash, appended with the signature, with the temporary key Ktsu, and the communication unit 16 transmits the user ID and the amount of issued electronic cash encrypted with the temporary key Ktsu to the center 3. The communication unit 37 of the center 3 receives the user ID and the amount of issued electronic cash encrypted with the temporary key Ktsu, which have been transmitted thereto from the user device 1.

At step S73, the decryption unit 33 of the center 3 decrypts the user ID and the amount of issued electronic cash encrypted with the temporary key Ktsu, with the temporary key Ktsu, and the signature unit 34 verifies the signature appended to the amount of issued electronic cash resulting from the decryption to confirm that the amount of issued electronic cash is not tampered. Since the verification of the signature is similar to the processing previously explained at step S15 in FIG. 2, explanation thereon is omitted. If the signature unit 34 finds tampering in the amount of issued electronic cash, the processing is aborted. When the amount of issued electronic cash is not tampered, the processing proceeds to step S74, where the user management unit 35 of the center 3 derives a credit card number, which has been encrypted with the public key Kppg of the clearinghouse stored at step S27 in FIG. 2, corresponding to the user ID.

Since step S75 through step S81 are similar to step S16 through step S22, respectively, in FIG. 2, explanation thereon is omitted.

At step S82, the signature unit 34 of the center 3 appends a signature of the center 3 to the user ID and the amount of issued electronic cash, respectively appended with the signature of the user device, received at step S72. The encryption unit 32 encrypts the certificate of the user device 1, the user ID and the amount of issued electronic cash with the temporary key Ktsb. The communication unit 37 transmits these to the virtual bank 4. The communication unit 46 of the virtual bank 4 receives the certificate of the user device 1, the user ID and the amount of issued electronic cash transmitted by the center 3.

At step S83, the decryption unit 43 of the virtual bank 4 decrypts the certificate of the user device 1, the user ID and the amount of issued electronic cash, received at step S82, with the temporary key Ktsb, and the signature unit 44 verifies the signature of the center 3 and the signature of the user device 1 appended to the amount of issued electronic cash to confirm that the amount of issued electronic cash is not tampered. Since the verification of the signatures is similar to the processing previously explained at step S15 in FIG. 2, explanation thereon is omitted. If the signature unit 44 finds tampering in the amount of issued electronic cash, the processing is aborted. When the amount of issued electronic cash is not tampered, the account management unit 45 adds the amount of electronic cash issued this time to the amount of electronic cash corresponding to the user ID at step S84.

Since step S85 through step S87 are similar to the processing at step S26 through step S28, respectively, in FIG. 2, explanation thereon is omitted.

At step S88, the storage unit 12 of the user device 1 adds the amount of issued electronic cash transmitted at step S72 to the electronic cash balance stored in the storage unit 12, and stores the resulting amount.

In this way, the user device 1 can deposit electronic cash to the virtual bank 4 second and subsequent times in a similar manner.

Next, the processing performed by the shop 2 for registering itself in the center 3 and the virtual bank 4 will be explained with reference to FIG. 6. At step S91, the communication unit 26 of the shop 2 transmits shop information, account information, and a public key Kpm of the shop 2 to the certificate authority 6. Here, the shop information refers to that with which the shop 2 can be identified, for example, an ID or the like. The certificate authority 6 receives the data transmitted by the communication unit 26 of the shop 2. At step S92, the certificate authority 6 applies a predetermined hash function to the received shop information, account information, and public key Kpm of the shop 2 to derive a hash value, which is encrypted with a secret key Ksca of the certificate authority 6 to create a signature, which is added to the shop information, the account information, and the public key Kpm of the shop 2 to create a certificate, which is transmitted to the shop 2. FIG. 7 shows an example of the certificate for a shop. The certificate may include the name of the certificate authority (ID), certificate number (ID), expiration date of the certificate, and so on, in addition to those enumerated above. The communication unit 26 of the shop 2 receives the data transmitted by the certificate authority 6.

At step S93, the mutual authentication unit 21 of the shop 2 mutually authenticates with the mutual authentication unit 31 of the center 3, and the shop 2 and the center 3 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktsm. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S94, the encryption unit 23 of the shop 2 encrypts the account number of the shop 2, previously stored therein, with the public key Kppg of the clearing house 5. The encryption unit 23 of the shop 2 further encrypts the account number encrypted with the public key Kppg of the clearing house 5 with the temporary key Ktsm, and also encrypts the certificate of the shop 2 with the temporary key Ktsm. The communication unit 26 transmits the account number and the certificate of the shop 2, encrypted with the temporary key Ktsm, to the center 3. The communication unit 37 of the center 3 receives the account number and the certificate encrypted with the temporary key Ktsm, transmitted thereto from the shop 2, and the decryption unit 33 decrypts the account number and the certificate encrypted with the temporary key Ktsm.

Continuing with step S95, the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 51 of the clearing house 5, and the mutual authentication unit 31 of the center 3 and the mutual authentication unit 51 of the clearing house 5 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktsp. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S96, the signature unit 34 of the center 3 appends a signature to the account number of the shop 2. The encryption unit 32 further encrypts the certificate of the shop 2 and the account number, appended with the signature of the center 3 and encrypted with the public key Kppg of the clearing house 5, with the temporary key Ktsp. The communication unit 37 transmits the data encrypted with the temporary key Ktsp to the clearing house 5. The communication unit 56 of the clearing house 5 receives the data transmitted thereto from the center 3.

At step S97, the decryption unit 53 of the clearing house 5 decrypts the data received from the center 3 with the temporary key Ktsp. The signature unit 54 of the clearing house 5 verifies the signature of the certificate authority 6 appended to the certificate to confirm that the certificate is not tampered. If the signature unit 34 finds tampering in the certificate, the processing is aborted. When the certificate is not tampered, the processing proceeds to step S98, where the signature unit 54 applies a hash function to the received account number to calculate a hash value, and verifies whether the calculated hash value matches a hash value in the certificate to confirm that the account number is not tampered. If the signature unit 34 finds tampering in the account number, the processing is aborted. When the account number is not tampered, at step S99, the signature unit 54 appends a signature to the verified result at step S98 and at step 98. The encryption unit 52 encrypts the verified result appended with the signature with the temporary key Ktsp. The communication unit 56 transmits the verified result encrypted with the temporary key Ktsp to the center 3. The communication unit 37 of the center 3 receives the verified result transmitted by the clearing house 5, and the decryption unit 33 decrypts the verified result received from the clearing house 5 with the temporary key Ktsp.

At step S100, the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 41 of the virtual bank 4, and the center 3 and the virtual bank 4 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as the temporary key Ktsb. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S101, the signature unit 34 of the center 3 appends a signature of the center 3 to the certificate of the shop 2. The encryption unit 32 encrypts the certificate of the shop 2 appended with the signature of the center 3 with the temporary key Ktsp. The communication unit 37 transmits the encrypted certificate to the virtual bank 4. The communication unit 46 of the virtual bank 4 receives the certificate of the shop 2 transmitted thereto from the center 3.

At step S102, the decryption unit 43 of the virtual bank 4 decrypts the certificate of the shop 2 received from the center 3 with the temporary key Ktsb. The signature unit 44 verifies the signature of the center 3 appended to the certificate of the shop 2 and the signature of the certificate authority 6 included in the certificate of the shop 2 to confirm that the certificate of the shop 2 is not tampered. If tampering is found in the certificate of the shop 2, the processing is aborted. When the certificate of the shop 2 is not tampered, the account management unit 45 of the virtual bank 4 generates a shop ID and stores the amount of sales corresponding to the shop ID at step S103.

Since the processing at step S104 through step S106 is similar to the processing at step S26 through step S28, respectively, in FIG. 2, explanation thereon is omitted.

At step S107, the decryption unit 24 of the shop 2 decrypts the received shop ID, and the storage unit 22 stores the shop ID received at step S106.

In this way, the shop 2 registers itself in the center 3 and the virtual bank 4, and stores the shop ID.

Next, a transfer of electronic cash from the user device 1-2 to the user device 1-1 will be explained with reference to a flow chart of FIG. 8. At step S121, the mutual authentication unit 11-2 of the user device 1-2 mutually authenticates with the mutual authentication unit 11-1 of the user device 1-1, and the user device 1-2 and the user device 1-1 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktuu. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon will be omitted. At step S122, the signature unit 15-2 of the user device 1-2 appends a signature of the user device 1-2 to data indicative of an amount to be transferred, set by the user, and the encryption unit 13-2 encrypts the data indicative of the amount to be transferred with the temporary key Ktuu. The communication unit 16-2 of the user device 1-2 transmits the data indicative of the amount encrypted with the temporary key Ktuu to the communication unit 16-1 of the user device 1-1. The communication unit 16-1 of the user device 1-1 receives the data indicative of the amount encrypted with the temporary key Ktuu.

At step S123, the decryption unit 14-1 of the user device 1-1 decrypts the encrypted data indicative of the amount with the temporary key Ktuu, and the storage unit 12-1 adds the amount to be transferred to an uncleared amount stored therein, and stores the resulting value. The uncleared amount refers to the total amount transferred and received from other user devices 1. At step S124, the signature unit 15-1 of the user device 1-1 appends a signature of the user device 1-1 to the data indicative of the amount to be transferred, and the encryption unit 13-1 encrypts the data indicative of the amount to be transferred with the temporary key Ktuu. The communication unit 16-1 of the user device 1-1 transmits the encrypted data indicative of the amount to the communication unit 16-2 of the user device 1-2. The communication unit 16-2 of the user device 1-2 receives the encrypted data indicative of the amount.

At step S125, the decryption unit 14-2 of the user device 1-2 decrypts the encrypted data indicative of the amount with the temporary key Ktuu, and the storage unit 12-2 subtracts the amount to be transferred, derived by the decryption, from an uncleared amount stored therein, and stores the resulting difference. At step S126, the signature unit 15-2 appends a signature of the user device 1-2 to data indicative of the completed transfer of electronic cash. The encryption unit 13-2 encrypts the data indicative of the completed transfer of electronic cash appended with the signature, with the temporary key Ktuu. The communication unit 16-2 transmits the encrypted data indicative of the completed transfer of electronic cash to the communication unit 16-1 of the user device 1-1. The communication unit 16-1 of the user device 1-1 receives the data indicative of the completed transfer of electronic cash encrypted with the temporary key Ktuu, followed by the termination of the processing.

As described above, the user device 1-2 transfers electronic cash to the user device 1-1.

FIG. 9 is a flow chart for explaining other processing for transferring electronic cash from the user device 1-2 to the user device 1-1. At step S131, the mutual authentication unit 11-2 of the user device 1-2 mutually authenticates with the mutual authentication unit 11-1 of the user device 1-1, and the user device 1-2 and the user device 1-1 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktuu. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S132, the signature unit 15-2 of the user device 1-2 appends a signature of the user device 1-2 to data indicative of an amount to be transferred, set by the user. The encryption unit 13-2 encrypts the user ID of the user device 1-2 with the public key Kpesc of the center 3, and also encrypts the data indicative of the amount to be transferred and the user ID of the user device 1-2 encrypted with the public key Kpesc of the center 3 with the temporary key Ktuu. The communication unit 16-2 of the user device 1-2 transmits the data indicative of the amount and the user ID of the user device 1-2 encrypted with the temporary key Ktuu to the communication unit 16-1 of the user device 1-1. The communication unit 16-1 of the user device 1-1 receives the encrypted data indicative of the amount and user ID of the user device 1-2.

At step S133, the decryption unit 14-1 of the user device 1-1 decrypts the encrypted data indicative of the amount and user ID of the user device 1-2 with the temporary key Ktuu. The storage unit 12-1 adds the amount to be transferred to an uncleared amount stored therein, and stores the resulting amount and the user ID of the user device 1-2 encrypted with the public key Kpesc of the center 3.

Since the processing at step S134 through step S136 is similar to the processing at step S124 through step S126, respectively, in FIG. 8, explanation thereon is omitted.

With the processing in FIG. 9, the user device 1-2 transfers electronic cash to the user device 1-1, while the user device 1-1 stores the user ID of the user device 1-2 together with the transferred cash.

Next, the processing for a payment from the user device 1 to the shop 2 with electronic cash will be explained with reference to a flow chart of FIG. 10. At step S151, the user confirms the electronic cash balance stored in the storage unit 12 of the user device 1, and, if the balance is insufficient for the amount of purchase, forces the user device 1 to execute the processing illustrated in FIG. 5 to store a required amount of electronic cash. At step S152, the mutual authentication unit 11 of the user device 1 mutually authenticates with the mutual authentication unit 21 of the shop 2, and the user device 1 and the shop 2 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktum. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted.

At step S153, the encryption unit 13 of the user device 1 encrypts information on an article purchased from the shop 2 (information on a purchased article specified by the user through manipulations on the user device 1, for example, an article ID representative of the article) with the public key Kpm of the shop 2 previously stored in the storage unit 12, encrypts the user ID with the public key Kpesc of the center 3 previously stored in the storage unit 12, and encrypts an uncleared amount stored in the storage unit 12 with the public key Kpvb of the virtual bank 4.

Next, the signature unit 15 of the user device 1 appends a signature of the user device 1 to the information on the purchased article encrypted with the public key Kpm of the shop 2; the uncleared amount encrypted with the public key Kpvb of the virtual bank 4; the user ID encrypted with the public key Kpesc of the center 3; and the amount of purchase. Here, the signature of the user device 1 is appended to the respective information. Alternatively, the signature of the user device 1 may be collectively appended to some or all of them. The encryption unit 13 of the user device 1 further encrypts the information on the purchased article encrypted with the public key Kpm of the shop 2 and appended with the signature; the user ID encrypted with the public key Kpesc of the center 3; the uncleared amount encrypted with the public key Kpvb of the virtual bank 4; and the amount of purchase with the temporary key Ktum. The communication unit 16 of the user device 1 transmits these data encrypted with the temporary key Ktum to the communication unit 26 of the shop 2. The communication unit 26 of the shop 2 receives these data.

At step S154, the signature unit 24 of the shop 2 verifies the signature in a variety of the received data to confirm whether or not they are tampered. If it is determined that they are tampered, the processing is aborted. When no tampering is determined, the decryption unit 24 decrypts these data encrypted with the temporary key Ktum. Also, the decryption unit 24 decrypts the information on the purchased article encrypted with the public key Kpm of the shop 2 with a secret key Ksm of the shop 2.

At step S155, the mutual authentication unit 21 of the shop 2 mutually authenticates with the mutual authentication unit 31 of the center 3, and the shop 2 and the center 3 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktsm. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted.

At step S156, the encryption unit 23 of the shop 2 encrypts the shop ID of the shop 2 stored in the storage unit 22 with the public key Kpesc of the center 3 acquired at step S155. The signature unit 25 appends a signature of the shop 2 to the shop ID which has been encrypted with the public key Kpesc of the center 3, and appends the signature of the shop 2 to the amount of purchase which has been appended with the signature of the user device 1 decrypted at step S154. The encryption unit 23 encrypts the certificate of the user acquired at step S152; the user ID encrypted with the public key Kpesc of the center 3 and appended with the signature of the shop and the signature of the user device 1; the uncleared amount encrypted with the public key Kpvb of the virtual bank 4 and appended with the signature of the user device 1; the shop ID appended with the signature of the shop 2 and encrypted with the public key Kpesc of the center 3; and the amount of purchase with the temporary key Ktsm. The communication unit 26 transmits these data to the communication unit 37 of the center 3. The communication unit 37 of the center 3 receives these data encrypted with the temporary key Ktsm.

At step S157, the decryption unit 33 of the center 3 decrypts the certificate of the user; the user ID encrypted with the public key Kpesc of the center 3 and appended with the signature of the shop and the signature of the user device; the uncleared amount encrypted with the public key Kpvb of the virtual bank 4 and appended with the signature of the user device 1; the shop ID appended with the signature of the shop 2 and encrypted with the public key Kpesc of the center 3; and the amount of purchase appended with the signatures of the user device 1 and the shop 2, received at step S156, with the temporary key Ktsm. The signature unit 34 verifies the signature of the user device 1 and the signature of the shop 2 to the amount of purchase; the signature of the shop and the signature of the user device 1 appended to the user ID; and the signature of the shop 2 to the shop ID to confirm that the amount of purchase, the user ID and the shop ID are not tampered. If the signature unit 34 finds tampering in any of the amount of purchase, the user ID and the shop ID, the processing is aborted. If none of the amount of purchase, the user ID and the shop ID is tampered, the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 41 of the virtual bank 4 at step S158, and the center 3 and the virtual bank 4 share the coherence R2∥R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktsb. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted.

At step S159, the signature unit 34 of the center 3 appends a signature to the user ID, the shop ID, the amount of purchase, and the uncleared amount encrypted with the public key Kpvb of the virtual bank 4. The encryption unit 32 of the center 3 encrypts the user ID, the shop ID, the amount of purchase, the uncleared amount encrypted with the public key Kpvb of the virtual bank 4, and the signature with the temporary key Ktsb. The communication unit 37 transmits these data to the communication unit 46 of the virtual bank 4. The communication unit 46 of the virtual bank 4 receives these data.

At step S160, the decryption unit 43 of the virtual bank 4 decrypts the encrypted user ID, shop ID, amount of purchase, uncleared amount encrypted with the public key Kpvb of the virtual bank 4, and signature of the center 3 with the temporary key Ktsb. The signature unit 44 verifies the signature of the center 3 to confirm that the user ID, the shop ID, the amount of purchase, and the uncleared amount encrypted with the public key Kpvb of the virtual bank 4 are not tampered. If the signature unit 44 finds tampering, the processing is aborted. When tampering is not found in any of the user ID, the shop ID, the amount of purchase, and the uncleared amount encrypted with the public key Kpvb of the virtual bank 4, the account management unit 45 adds the amount of purchase to the amount of sales corresponding to the shop ID. At step S161, the account management unit 45 subtracts the amount of purchase from the balance corresponding to the user ID, adds the uncleared amount to the balance corresponding to the user ID, and stores the resulting amount.

At step S162, the encryption unit 42 of the virtual bank 4 encrypts the balance corresponding to the user ID stored at step S161 with the public key Kpu of the user. The signature unit 44 signs the amount of purchase, and the balance corresponding to the user ID encrypted with the public key Kpu of the user. The communication unit 46 transmits the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, and the signature to the communication unit 37 of the center 3. The communication unit 37 of the center 3 receives these data.

At step S163, the decryption unit 33 of the center 3 decrypts the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, and the signature of the virtual bank 4. The signature unit 34 of the center 3 appends a signature of the center 3 to the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, and the signature of the virtual bank 4. The encryption unit 32 encrypts the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, and the signature of the virtual bank 4, which have been appended with the signature of the center 3, with the temporary key Ktsm. The communication unit 37 transmits the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, the signature of the virtual bank 4, and the signature of the center 3, which have been encrypted with the temporary key Ktsm, to the communication unit 26 of the shop 2. The communication unit 26 of the shop 2 receives these data.

At step S164, the decryption unit 24 of the shop 2 decrypts the received amount of purchase, balance corresponding to the user ID encrypted with the public key Kpu of the user, signature of the virtual bank 4, and signature of the center 3, with the temporary key Ktsm. The signature unit 25 verifies the signature of the virtual bank 4 and the signature of the center 3 to confirm that there is no tampering in the received amount of purchase and balance corresponding to the user ID encrypted with the public key Kpu of the user. If the signature unit 25 finds tampering, the processing is aborted. If there is no tampering in any of the received amount of purchase and balance corresponding to the user ID encrypted with the public key Kpu of the user, the processing proceeds to step S165, where the signature unit 25 appends the signature of the shop 2 to the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, the signature of the virtual bank 4, and the signature of the center 3. The encryption unit 23 encrypts the amount of purchase, the balance corresponding to the user ID encrypted with the public key Kpu of the user, the signature of the virtual bank 4, the signature of the center 3, and the signature of the shop 2 with the temporary key Ktum. The communication unit 26 transmits these data to the communication unit 16 of the user device 1. The communication unit 16 of the user device 1 receives these data.

At step S166, the decryption unit 14 of the user device 1 decrypts the received amount of purchase, balance corresponding to the user ID encrypted with the public key Kpu of the user, signature of the virtual bank 4, signature of the center 3, and signature of the shop 2 with the temporary key Ktum. The signature unit 15 verifies the signature of the virtual bank 4, the signature of the center 3, and the signature of the shop 2 to confirm that there is no tampering in the received amount of purchase, and balance corresponding to the user ID encrypted with the public key Kpu of the user. If the signature unit 15 finds tampering, the processing is aborted. If there is no tampering in any of the received amount of purchase, and balance corresponding to the user ID encrypted with the public key Kpu of the user, the storage unit 12 confirms whether or not the received balance is equal to the amount derived by subtracting the amount of purchase from the balance stored in the storage unit 12 prior to the start of the processing and adding the uncleared amount transmitted at step S153 to the resulting amount. When the received balance is equal to the amount derived by subtracting the amount of purchase from the balance stored in the storage unit 12 prior to the start of the processing and adding the uncleared amount transmitted at step S153 to the resulting amount, the balance is updated and stored, and the uncleared amount is set to zero, followed by the termination of the processing. If the received balance is not equal to the amount derived by subtracting the amount of purchase from the balance stored in the storage unit 12 prior to the start of the processing and adding the uncleared amount transmitted at step S153 to the resulting amount, the processing is terminated.

As described above, the user device 1 makes a payment to the shop 2 through the virtual bank 4.
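The payment confirmation of steps S164 to S166, as an added example that is not code from the patent: the shop appends its signature to the data already signed by the virtual bank 4 and the center 3, and the user device verifies the whole chain before checking that the received balance equals the stored balance minus the amount of purchase plus the uncleared amount of step S153. Ed25519 and a fixed-width encoding of the two amounts are assumptions (the specification names no scheme), and the Ktum transport encryption and the Kpu encryption of the balance are elided.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Receipt is the message reaching the user device at step S166: amount of
// purchase, balance, and the signatures of virtual bank 4, center 3 and shop 2
// in that order. Ed25519 is an assumption (the patent names no scheme), and
// encryption with Ktum and Kpu is elided, so Balance is the decrypted value.
type Receipt struct {
	Amount, Balance             uint64
	SigBank, SigCenter, SigShop []byte
}

// fields is the signed payload: amount and balance, fixed-width big-endian.
func fields(amount, balance uint64) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b, amount)
	binary.BigEndian.PutUint64(b[8:], balance)
	return b
}

// BuildReceipt produces what the shop sends at step S165: each party signs
// the fields together with every signature already appended before its own.
func BuildReceipt(bank, center, shop ed25519.PrivateKey, amount, balance uint64) Receipt {
	f := fields(amount, balance)
	sb := ed25519.Sign(bank, f)
	sc := ed25519.Sign(center, bytes.Join([][]byte{f, sb}, nil))
	ss := ed25519.Sign(shop, bytes.Join([][]byte{f, sb, sc}, nil))
	return Receipt{amount, balance, sb, sc, ss}
}

// UserState models storage unit 12: the stored balance and the uncleared
// amount transmitted at step S153.
type UserState struct{ Balance, Uncleared uint64 }

var ErrTampered = errors.New("signature verification failed; processing aborted")
var ErrBalance = errors.New("balance mismatch; processing terminated")

// AcceptPayment is step S166: verify all three signatures over exactly the
// bytes each party signed, then accept the balance only if it equals
// stored balance - purchase + uncleared; on success store it and zero uncleared.
func (u *UserState) AcceptPayment(r Receipt, bank, center, shop ed25519.PublicKey) error {
	f := fields(r.Amount, r.Balance)
	if !ed25519.Verify(bank, f, r.SigBank) ||
		!ed25519.Verify(center, bytes.Join([][]byte{f, r.SigBank}, nil), r.SigCenter) ||
		!ed25519.Verify(shop, bytes.Join([][]byte{f, r.SigBank, r.SigCenter}, nil), r.SigShop) {
		return ErrTampered
	}
	if r.Amount > u.Balance+u.Uncleared || r.Balance != u.Balance+u.Uncleared-r.Amount {
		return ErrBalance
	}
	u.Balance, u.Uncleared = r.Balance, 0
	return nil
}
```

A mismatch or a failed signature leaves the stored balance and uncleared amount untouched, matching the text's "processing is terminated" without an update.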

The processing for transferring proceeds to the account of the shop 2 will be explained with reference to a flow chart of FIG. 11. At step S181, the mutual authentication unit 21 of the shop 2 mutually authenticates with the mutual authentication unit 31 of the center 3, and the shop 2 and the center 3 share the coherence R21 R3 of the random numbers at step S54 and at step S57 in FIG. 4 as a temporary key Ktsm. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S182, the encryption unit 23 of the shop 2 encrypts the shop ID of the shop 2, stored in the storage unit 22 at step S107 in FIG. 6, with the temporary key Ktsm. The signature unit 25 of the shop 2 appends a signature to the encrypted shop ID, and the encryption unit 23 encrypts the shop ID and the signature with the temporary key Ktsm. The communication unit 26 transmits the shop ID and the signature encrypted with the temporary key Ktsm to the communication unit 37 of the center 3. The communication unit 37 of the center 3 receives the shop ID and the signature.

At step S183, the decryption unit 33 of the center 3 decrypts the shop ID and the signature encrypted with the temporary key Ktsm. The signature unit 34 verifies the signature appended to the shop ID, derived by the decryption, to confirm that the shop ID is not tampered. If tampering is found in the shop ID, the processing is aborted. If no tampering is found in the shop ID, the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 41 of the virtual bank 4 at step S184, and the center 3 and the virtual bank 4 share the temporary key Ktsb. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S185, the signature unit 34 of the center 3 appends a signature to the shop ID confirmed at step S183, and the encryption unit 32 encrypts the shop ID and the signature with the temporary key Ktsb. The communication unit 37 transmits the shop ID and the signature encrypted with the temporary key Ktsb to the communication unit 46 of the virtual bank 4. The communication unit 46 of the virtual bank 4 receives the shop ID and the signature.

At step S186, the decryption unit 43 of the virtual bank 4 decrypts the shop ID and the signature encrypted with the temporary key Ktsb. The signature unit 44 verifies the signature appended to the shop ID, derived by the decryption, to confirm that the shop ID is not tampered. If tampering is found in the shop ID, the processing is aborted. If no tampering is found in the shop ID, the account management unit 45 clears the amount of proceeds corresponding to the shop ID stored in the account management unit 45. At step S187, the signature unit 44 appends a signature to the amount of proceeds corresponding to the shop ID stored in the account management unit 45 (the amount of proceeds before it is cleared), and the encryption unit 42 encrypts the amount of proceeds and the signature with the temporary key Ktsb. The communication unit 46 transmits the amount of proceeds and the signature encrypted with the temporary key Ktsb to the communication unit 37 of the center 3. The communication unit 37 of the center 3 receives the amount of proceeds and the signature.

At step S188, the mutual authentication unit 31 of the center 3 mutually authenticates with the mutual authentication unit 51 of the clearing house 5, and the center 3 and the clearing house 5 share the temporary key Ktsp. Since the procedure for the mutual authentication is similar to the processing in FIG. 4, explanation thereon is omitted. At step S189, the signature unit 34 of the center 3 appends a signature to the amount of proceeds received from the virtual bank 4 at step S187. The encryption unit 32 encrypts the certificate of the shop received from the shop 2 during the processing of the mutual authentication at step S181; the account number corresponding to the shop ID stored in the shop management unit 36 at step S105 in FIG. 6 and encrypted with the public key Kppg of the clearing house 5; and the amount of proceeds appended with the signature of the center 3, with the temporary key Ktsp. The communication unit 37 transmits the certificate of the shop, the account number corresponding to the shop ID, and the amount of proceeds, encrypted with the temporary key Ktsp, to the communication unit 56 of the clearing house 5. The communication unit 56 of the clearing house 5 receives the certificate of the shop, the account number corresponding to the shop ID, and the amount of proceeds encrypted with the temporary key Ktsp.

At step S190, the decryption unit 53 of the clearing house 5 decrypts the certificate of the shop, the account number corresponding to the shop ID, and the amount of proceeds. The signature unit 54 confirms that the decrypted amount of proceeds is not tampered. If tampering is found, the processing is aborted. If no tampering is found, the clearing unit 55 forces the bank to execute the processing for transferring the amount corresponding to the amount of proceeds to the account number corresponding to the shop ID. At step S191, the signature unit 54 appends a signature to data indicative of the result of the processing at step S190. The communication unit 56 transmits the data indicative of the result of the deposit processing, and the signature to the communication unit 37 of the center 3. The communication unit 37 of the center 3 receives the data indicative of the result of the deposit processing, and the signature.

At step S192, the decryption unit 33 of the center 3 decrypts the data indicative of the result of the deposit processing, and the signature. The signature unit 34 confirms that there is no tampering in the data indicative of the result of the deposit processing. If tampering is found, the processing is aborted. If no tampering is found, the signature unit 34 appends a signature to the data indicative of the result of the deposit processing. The communication unit 37 transmits the data indicative of the result of the deposit processing, and the signature to the communication unit 26 of the shop 2. The communication unit 26 of the shop 2 receives the data indicative of the result of the deposit processing, and the signature, and the decryption unit 24 of the shop 2 decrypts the data indicative of the result of the deposit processing, and the signature. The signature unit 25 confirms that there is no tampering in the data indicative of the result of the deposit processing. The storage unit 22 stores the data indicative of the result of the deposit processing, followed by the termination of the processing.

As described above, the deposit of proceeds to the account of the shop 2 is processed.

In this way, the user is identified at each device using the user ID. Each device is not aware of personal information, so that upon detection of a fraud, the center 3 finds account information encrypted with the public key Kppg of the clearing house 5 based on the user ID, and requests the clearing house 5 to disclose the account information. Based on that, the personal information is identified for the certificate authority 6, the credit card company 7, or the bank 8. In this event, since it is possible to control in which case each device discloses information, and to manage logs of references to them, personal information will not be unnecessarily disclosed.

It is assumed in this specification that a system refers to a general apparatus which is composed of a plurality of devices.

As a providing medium for providing a user device with a computer program for executing the processing as described above, communication media such as networks, satellites, cables and so on may be utilized in addition to recording media such as magnetic disks, CD-ROM, solid-state memories and so on.

Also, while FIG. 1 of the present invention illustrates in such a manner that the user device 1, the shop 2, the center 3, the virtual bank 4 and the clearing house 5, the certificate authority 6, and the credit card company 7 and the bank 8 exist independently of one another, some of these functions may be grouped into one. For example, the functions of the center 3, the virtual bank 4 and the clearing house 5 may be combined into the center 3.

In the present invention, the shop 2 need not hold any special apparatus, and is only required to register itself in the center 3. This is implemented by the center 3 which manages an ID issued to a card and provides it to the shop.

According to an electronic cash system of the invention, an account management apparatus stores information for identifying the user and the amount of money utilized by the user based on previously deposited funds, a settlement processing apparatus instructs the payment institution to settle, and a control apparatus manages the information for identifying a user, and an account number in the payment institution of the user, encrypted with a public key of the settlement processing apparatus, instructs the account management apparatus to change the balance of the deposited funds of the user, stored therein, based on the information for identifying the user, and instructs the settlement processing apparatus to execute a settlement based on the account number in the payment institution, so that the user can securely utilize electronic cash without the need for managing a special apparatus, each apparatus cannot unnecessarily know personal information and information on individual's purchase information, frauds can be detected, and the circulation of money can be managed.

Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the present invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the present invention as defined by the appended claims.

INDUSTRIAL APPLICABILITY

The present invention can be utilized in an electronic cash system for electronically managing the circulation of cash and information, and for depositing and withdrawing funds.

1. An electronic cash system for processing a payment for an amount due, the payment being carried out using previously deposited funds, said system comprising: an account management device, including: storage means for storing information identifying a user and information of an amount of money available to be utilized by the user based on the previously deposited funds; a settlement processing device, including: settlement instructing means for instructing a payment institution to settle; and a control device, including: management means for managing the information identifying the user and for managing an account number in the payment institution of the user, the account number being encrypted with a public key of said settlement processing device, balance change instructing means for instructing said account management device to change a balance of the stored previously deposited funds of the user based on the information identifying the user, and settlement execution instructing means for instructing said settlement instructing means of said settlement processing device to execute a settlement transaction based on the account number in the payment institution.

2. An electronic cash system according to claim 1, wherein each one of said account management device, said settlement processing device, and said control device includes an associated mutual authentication means for performing predetermined mutual authentication processing with said associated mutual authentication means of another one of said account management device, said settlement processing device, and said control device before communication with the another one of said account management device, said settlement processing device, and said control device is initiated.

3. An electronic cash system according to claim 1, wherein each one of said account management device, said settlement processing device, and said control device includes an associated encryption means for encrypting data transmitted to another one of said account management device, said settlement processing device, and said control device, and includes an associated decryption means for encrypting data received from the another one of said account management device, said settlement processing device, and said control device.

4. An electronic cash system for processing a payment for an amount due, the payment being carried out using previously deposited funds, said system comprising: a virtual bank, including: an account management unit operable to store information identifying a user and information of an amount of money available to be utilized by the user based on the previously deposited funds; a clearinghouse, including: a clearing unit operable to instruct a payment institution to settle; and a control center, including: a user management unit operable to manage the information identifying the user and to manage an account number in the payment institution of the user, the account number being encrypted with a public key of said clearinghouse, and a communication unit operable to instruct said virtual bank to change a balance of the stored previously deposited funds of the user based on the information identifying the user, and to instruct said clearing unit of said clearing house to execute a settlement transaction based on the account number in the payment institution.

5. An electronic cash system according to claim 4, wherein each one of said virtual bank, said clearinghouse, and said control center includes an associated mutual authentication unit operable to perform predetermined mutual authentication processing with said associated mutual authentication unit of another one of said virtual bank, said clearinghouse, and said control center before communication with the another one of said virtual bank, said clearinghouse, and said control center is initiated.

6. An electronic cash system according to claim 4, wherein each one of said virtual bank, said clearinghouse, and said control center includes an associated encryption unit operable to encrypt data transmitted to another one of said virtual bank, said clearinghouse, and said control center, and includes an associated decryption unit operable to encrypt data received from the another one of said virtual bank, said clearing house, and said control center.